The data protection legislation in both Guernsey and Jersey prescribes offences of knowingly or recklessly obtaining or disclosing personal data (or the information contained within it) without the consent of the relevant controller. These mirror the offences set out in the UK’s Data Protection Act 2018.

It should be emphasised that a person acting in this manner commits a criminal offence (subject to proving any available defence). This is not a case of civil liability and hoping to rely on professional indemnity insurance to cover the costs of the error. On conviction for this particular offence, perpetrators in Jersey face the imposition of a fine, and those in Guernsey risk a combination of a fine and/or prison sentence of up to two years. Furthermore, where that individual is working in the financial services industry, theft of personal data is likely to be viewed seriously by the GFSC and JFSC when it comes to assessing whether an individual should be regarded as fit and proper.

Nevertheless, it seems that the threat of criminal sanction has not proved to be a sufficient deterrent to certain disgruntled or overly curious employees. Two very recent UK cases (dealt with under the previous regime of the Data Protection Act 1998) resulted in the imposition of fines on employees who unlawfully accessed patient medical records and the personal data of customers of a car dealership.

In Guernsey, February 2019 saw the acquittal of a hospital employee facing prosecution for unlawfully accessing patient records without proper justification, and judicial criticism that the employer did not, apparently, have in place a suitably accessible data protection policy at the relevant time. Whilst the new data protection regimes in both the UK and Guernsey will no doubt have led to changes and improvements in the approaches of the businesses or departments concerned, the actions of employees (whether “rogue” or inadvertent) remain one of the main sources of concern for boards.

Unfortunately for businesses, the ramifications of deliberate breaches by employees do not stop at the point of individual criminal sanction for the perpetrator.

A stark warning lies in the well-publicised case involving the deliberate circulation of employees’ payroll data by a disgruntled internal auditor of the Morrisons supermarket chain. The Court of Appeal in the UK upheld the High Court’s finding that, notwithstanding that the perpetrator’s actions were deliberate and intended to cause harm to Morrisons, the employer was vicariously liable for those actions (and the compensation sought by the employees).

It will be of concern to businesses that the deliberate act of a disgruntled employee can result in the employer shouldering loss claimed by the ultimate victims of the data breach. On policy grounds, it is understandable that the rights of the data subjects are best protected by way of civil redress against a financially stable (and usually insured) business. Whilst the sight of individual perpetrators being prosecuted may bring short term satisfaction for those impacted, there is often no effective redress or compensation available.

All is not lost – businesses can minimise their risk in the following ways:

1. Regular staff training on data protection policy, including updates and refresher training, ensuring that staff understand and acknowledge their individual obligations and those of the business. Culture is key.

2. Restrictive security measures limiting access to personal data to the staff who require it for a specific and legitimate purpose.

3. Monitoring staff access to personal data held by the business so as to detect any unusual patterns of access or extraction.

4. Regular reviews of personal data inventories held by the business so as to ensure compliance with restrictions on time limits for its retention.
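As an illustration of measure 3 (and of the access restriction in measure 2), the following is an added example that is not part of the article and not code from Appleby or any of the businesses mentioned: a small review script that reads a staff access log for personal-data records and flags the kinds of pattern a business would want to notice early, namely access outside working hours, one person viewing an unusually large number of distinct records in a day, and any export of records. The log format (`timestamp user action record-id`), the sample lines, the working-hours window and the daily threshold are all assumptions chosen for the illustration.

```python
"""Added example: flag unusual patterns of staff access to personal-data records.

Assumptions (not from the article): a plain-text log with one event per line in
the form "<ISO timestamp> <user> <action> <record id>", a working day of
08:00-18:00 Monday to Friday, and a review threshold of 20 distinct records per
user per day.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

DAILY_RECORD_THRESHOLD = 20  # assumption: distinct records per user per day that warrants review
WORKING_HOURS = (8, 18)      # assumption: 08:00-18:00 local time, Monday to Friday

# Constructed sample log (fictional users and record ids). 2019-03-04 is a Monday.
SAMPLE_LOG = "\n".join(
    [
        "2019-03-04T09:12:00 alice VIEW CUST-1001",
        "2019-03-04T09:15:00 alice VIEW CUST-1002",
        "2019-03-04T11:40:00 alice VIEW CUST-1003",
        "2019-03-04T10:02:00 bob VIEW CUST-2001",
        "2019-03-04T23:41:00 bob VIEW CUST-2002",      # late-night access
        "2019-03-05T09:00:00 carol EXPORT CUST-3001",  # extraction of a record
    ]
    # carol also walks through 30 different records during one working day
    + [
        f"2019-03-05T{9 + i // 10:02d}:{(i * 5) % 60:02d}:00 carol VIEW CUST-3{i:03d}"
        for i in range(30)
    ]
)

Event = Tuple[datetime, str, str, str]      # (timestamp, user, action, record id)
Finding = Tuple[str, str, str]              # (rule, user, detail)


def parse_log(text: str) -> List[Event]:
    """Parse one event per line; blank lines are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record = line.split()
        events.append((datetime.fromisoformat(ts), user, action, record))
    return events


def is_off_hours(ts: datetime) -> bool:
    """True for weekends or any time outside the assumed working-hours window."""
    start, end = WORKING_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def find_unusual_access(events: List[Event]) -> List[Finding]:
    """Apply three simple rules and return the findings sorted for stable review output."""
    findings: List[Finding] = []
    per_user_day: Dict[Tuple[str, str], Set[str]] = defaultdict(set)

    for ts, user, action, record in events:
        per_user_day[(user, ts.date().isoformat())].add(record)
        if action == "EXPORT":
            findings.append(("export", user, f"{ts.isoformat()} exported {record}"))
        if is_off_hours(ts):
            findings.append(("off_hours", user, f"{ts.isoformat()} {action} {record}"))

    # Bulk access: many distinct records touched by one person in one day.
    for (user, day), records in per_user_day.items():
        if len(records) > DAILY_RECORD_THRESHOLD:
            findings.append(("bulk_access", user, f"{day}: {len(records)} distinct records"))

    return sorted(findings)


if __name__ == "__main__":
    for rule, user, detail in find_unusual_access(parse_log(SAMPLE_LOG)):
        print(f"{rule:12s} {user:8s} {detail}")
```

In practice the threshold should come from each role's normal workload rather than a single fixed number, and findings of this kind are a prompt for a line manager or data protection officer to ask for the justification, not a conclusion in themselves; the point of the exercise is that access to personal data is recorded and that someone actually looks at the record.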

If properly implemented and maintained, the above measures will assist a business to reduce the risk of accidental or deliberate conduct by staff that could result in civil or criminal liabilities. Building a culture of security and trust within an organisation and with customers is vital to maintaining success in today’s digital economy.
